Data breaches are escalating. Many organizations still do not encrypt their data, and many of those that do still rely on the vulnerable 56-bit "Data Encryption Standard." Meanwhile, breach notification guidelines remain vague. U.S. federal and state legislation needs to catch up with the circumstances.

In September, a medical privacy breach led to the public posting, on a commercial website, of data for 20,000 emergency room patients at Stanford Hospital in Palo Alto, Calif. According to "Patient Data Posted Online in Major Breach of Privacy," by Kevin Sack in the Sept. 8 edition of The New York Times, the hospital has been investigating how a detailed spreadsheet made its way from one of its vendors to a website called Student of Fortune. In 2010 alone, more than 5.4 million people were affected by U.S. health data breaches, according to a recent report from the U.S. Department of Health and Human Services.

Most American states and the U.S. federal government have moved quickly to consider new legislation that addresses data breach problems in all sectors and may provide some protection to consumers and businesses.

One of the main issues that state and federal legislators address when drafting data breach notification legislation is how promptly consumers must be notified of a breach.

According to the Consumers Union, "Individuals need to know when there is a breach of the security of their sensitive personal information such as a Social Security number, government identification number, payment card information, or account number which provides access to finances or to financial information. Once the individual gets the notice of breach, he or she can take steps to prevent or detect identity theft. A strong notice of breach requirement creates an incentive for both companies and government agencies to work to prevent future security breaches." ("Key Issues on Financial Privacy and Identity Theft in Congress — 2007") Unfortunately, many organizations that have experienced security breaches do not see it this way.

At the heart of the issue is the question of when, if ever, an organization's recognition that it has suffered a data breach "triggers" a notice to the consumers whose personal information was compromised. Legislation at both the state and federal levels has addressed this question, and the approaches taken are classified as "acquisition based" or "risk based."

Bear with me on this. According to U.S. PIRG, a public interest research organization, an " 'acquisition-based trigger' means [a] strong consumer-oriented notification requirement based on loss of information" and a " 'risk-based trigger' means loss of information does not trigger [a] notice automatically. Notice is subject to some analysis by [the] breached entity of the degree of risk to consumers." ("Summary of State Security Freeze and Security Breach Notification Laws")

Under acquisition-based trigger legislation, a loss of information means an actual loss, or reasonable assurance of loss, of unencrypted information only. If the information is encrypted, notification of the breach is not required.

Under risk-based trigger legislation, the entity whose data was breached has the right to judge the degree of risk posed by the loss of unencrypted information before it is required to issue a notification. Here too, encrypted information does not require notification.

A major weakness of the risk-based trigger approach, according to the Consumers Union, is that it adds a risk standard that will eliminate notice of some security breaches involving sensitive personal information. "Under a [risk-based] trigger approach, a business does not have to give notice unless it determines that the breach creates a reasonable or even a higher level of a risk of identity theft or other harm. Consumers Union calls a risk trigger 'don't know, don't tell' because it excuses notice when there is insufficient information about the breach." This is comparable to putting the proverbial fox in charge of the chicken coop.

Thus, acquisition-based trigger legislation is considered stronger than risk-based trigger legislation, but in reality not by much: in both cases encrypted information is exempt from notification, whatever the strength of the encryption used, and that exemption is at the heart of the problem.